Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Exposure of the QKEY (used as input into the ‘OTA-Quantum’ device registration process) and internal system keys via an unauthenticated and unencrypted HTTP GET method in the Arqit Symmetric Key Agreement Platform.
This issue affects Symmetric Key Agreement Platform: before 26.03.
AnalysisAI
Sensitive key material disclosure in Arqit Symmetric Key Agreement Platform versions before 26.03 allows remote unauthenticated attackers to retrieve the QKEY (a critical input to the OTA-Quantum device registration process) along with internal system keys via a plain HTTP GET request. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.03%), but the high CVSS of 8.7 with scope-change reflects the severe downstream cryptographic compromise possible once these keys leak. A vendor patch is available in version 26.03.
Technical ContextAI
The Arqit Symmetric Key Agreement (SKA) Platform underpins the company's quantum-safe symmetric keying service, distributing shared cryptographic material to endpoints that participate in the 'OTA-Quantum' registration and key-agreement flow. The QKEY identified in this CVE is a seed/input value bound to that registration process, meaning its disclosure undermines the trust anchor for derived session keys. The CWE-749 mapping (Exposed Dangerous Method or Function) indicates the root cause is a sensitive management or retrieval endpoint left reachable over an unauthenticated, unencrypted HTTP channel - an interface that should have required mutual authentication, TLS, and authorization. CPE coverage (cpe:2.3:a:arqit:symmetric_key_agreement_platform) confirms a single affected product line rather than a downstream integration issue.
RemediationAI
Upgrade the Arqit Symmetric Key Agreement Platform to version 26.03 or later - vendor-released patch is available per advisory data; consult the CVCN and EUVD references (https://www.cvcn.gov.it/cvcn/cve/CVE-2026-33583, https://nvd.nist.gov/vuln/detail/CVE-2026-33583) for vendor-specific upgrade guidance. Because QKEY and internal system keys may have been exposed, after patching also rotate any keys generated or distributed by the platform and re-register affected OTA-Quantum devices to invalidate material that could have been harvested. As compensating controls until patching, restrict network reachability of the SKA Platform's HTTP management interface to an isolated administrative VLAN or jump host, place it behind a reverse proxy that enforces mutual TLS and authentication, and block inbound port 80 to the platform at the perimeter - note that doing so will break any legitimate integrations currently relying on the plaintext endpoint, so inventory dependent clients first. Monitoring HTTP access logs on the platform for GET requests targeting key-retrieval paths is a useful detection layer while remediation is in flight.
Unauthenticated access to an exposed Keycloak management service in the Arqit Symmetric Key Agreement Platform allows re
Session impersonation in Arqit Symmetric Key Agreement Platform (SKA-Platform) prior to version 26.03 is enabled by impr
Same weakness CWE-749 – Exposed Dangerous Method or Function
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30113
GHSA-p8mh-jv2c-p65g